Interactive and Non-Interactive Proofs of Knowledge
Olivier Blazy
ENS / CNRS / INRIA / Paris 7 → RUB
Sept 2012
O. Blazy (ENS → RUB) INIPoK Sept 2012 1 / 63
1 General Remarks
2 Building blocks
3 Non-Interactive Proofs of Knowledge
4 Interactive Implicit Proofs
O. Blazy (ENS → RUB) INIPoK Sept 2012 2 / 63
1 General Remarks
2 Building blocks
3 Non-Interactive Proofs of Knowledge
4 Interactive Implicit Proofs
O. Blazy (ENS → RUB) INIPoK Sept 2012 2 / 63
1 General Remarks
2 Building blocks
3 Non-Interactive Proofs of Knowledge
4 Interactive Implicit Proofs
O. Blazy (ENS → RUB) INIPoK Sept 2012 2 / 63
1 General Remarks
2 Building blocks
3 Non-Interactive Proofs of Knowledge
4 Interactive Implicit Proofs
O. Blazy (ENS → RUB) INIPoK Sept 2012 2 / 63
Proof of Knowledge
Alice Bob
interactive method for one party to prove to another the knowledge of asecret S.
1 Completeness: S is true veri�er will be convinced of this fact
2 Soundness: S is false no cheating prover can convince the veri�er that Sis true
Classical Instantiations : Schnorr proofs, Sigma Protocols . . .
O. Blazy (ENS → RUB) INIPoK Sept 2012 3 / 63
Zero-Knowledge Proof Systems
Introduced in 1985 by Goldwasser, Micali and Racko�.
Reveal nothing other than the validity of assertion being proven
Used in many cryptographic protocols
Anonymous credentials
Anonymous signatures
Online voting
. . .
O. Blazy (ENS → RUB) INIPoK Sept 2012 4 / 63
Zero-Knowledge Proof Systems
Introduced in 1985 by Goldwasser, Micali and Racko�.
Reveal nothing other than the validity of assertion being proven
Used in many cryptographic protocols
Anonymous credentials
Anonymous signatures
Online voting
. . .
O. Blazy (ENS → RUB) INIPoK Sept 2012 4 / 63
Zero-Knowledge Proof Systems
Introduced in 1985 by Goldwasser, Micali and Racko�.
Reveal nothing other than the validity of assertion being proven
Used in many cryptographic protocols
Anonymous credentials
Anonymous signatures
Online voting
. . .
O. Blazy (ENS → RUB) INIPoK Sept 2012 4 / 63
Zero-Knowledge Interactive Proof
Alice Bob
interactive method for one party to prove to another that a statement S istrue, without revealing anything other than the veracity of S.
1 Completeness: if S is true, the honest veri�er will be convinced of this fact
2 Soundness: if S is false, no cheating prover can convince the honest veri�erthat it is true
3 Zero-knowledge: if S is true, no cheating veri�er learns anything other thanthis fact.
O. Blazy (ENS → RUB) INIPoK Sept 2012 5 / 63
Zero-Knowledge Interactive Proof
Alice Bob
interactive method for one party to prove to another that a statement S istrue, without revealing anything other than the veracity of S.
1 Completeness: if S is true, the honest veri�er will be convinced of this fact
2 Soundness: if S is false, no cheating prover can convince the honest veri�erthat it is true
3 Zero-knowledge: if S is true, no cheating veri�er learns anything other thanthis fact.
O. Blazy (ENS → RUB) INIPoK Sept 2012 5 / 63
Non-Interactive Zero-Knowledge Proof
Alice Bob
non-interactive method for one party to prove to another that a statement Sis true, without revealing anything other than the veracity of S.
1 Completeness: S is true veri�er will be convinced of this fact
2 Soundness: S is false no cheating prover can convince the veri�er that Sis true
3 Zero-knowledge: S is true no cheating veri�er learns anything other thanthis fact.
O. Blazy (ENS → RUB) INIPoK Sept 2012 6 / 63
History of NIZK Proofs
Ine�cient NIZK
Blum-Feldman-Micali, 1988.
. . .
De Santis-Di Crescenzo-Persiano, 2002.
Alternative: Fiat-Shamir heuristic, 1986: interactive ZK proof NIZKBut limited by the Random Oracle
E�cient NIZK
Groth-Ostrovsky-Sahai, 2006.
Groth-Sahai, 2008.
O. Blazy (ENS → RUB) INIPoK Sept 2012 7 / 63
History of NIZK Proofs
Ine�cient NIZK
Blum-Feldman-Micali, 1988.
. . .
De Santis-Di Crescenzo-Persiano, 2002.
Alternative: Fiat-Shamir heuristic, 1986: interactive ZK proof NIZKBut limited by the Random Oracle
E�cient NIZK
Groth-Ostrovsky-Sahai, 2006.
Groth-Sahai, 2008.
O. Blazy (ENS → RUB) INIPoK Sept 2012 7 / 63
History of NIZK Proofs
Ine�cient NIZK
Blum-Feldman-Micali, 1988.
. . .
De Santis-Di Crescenzo-Persiano, 2002.
Alternative: Fiat-Shamir heuristic, 1986: interactive ZK proof NIZKBut limited by the Random Oracle
E�cient NIZK
Groth-Ostrovsky-Sahai, 2006.
Groth-Sahai, 2008.
O. Blazy (ENS → RUB) INIPoK Sept 2012 7 / 63
Applications of NIZK Proofs
Fancy signature schemes
group signatures
ring signatures
traceable signatures
E�cient non-interactive proof of correctness of shu�e
Non-interactive anonymous credentials
CCA-2-secure encryption schemes (with public veri�ability)
Identi�cation
E-voting, E-cash
. . .
O. Blazy (ENS → RUB) INIPoK Sept 2012 8 / 63
Conditional Actions
Certi�cation of a public key
Group Manager User
pk←→ Cert
π The User should know the associated sk.
O. Blazy (ENS → RUB) INIPoK Sept 2012 9 / 63
Conditional Actions
Signature of a blinded message
Signer User
C(M)←→ σ
π The User should know the plaintext M.
O. Blazy (ENS → RUB) INIPoK Sept 2012 9 / 63
Conditional Actions
Transmission of private information
Server User
Request ←→ info
π The User should possess some credentials.
O. Blazy (ENS → RUB) INIPoK Sept 2012 9 / 63
Soundness
Only people proving they know the expected secret should be able to accessthe information.
Zero-Knowledge
The authority should not learn said secret.
O. Blazy (ENS → RUB) INIPoK Sept 2012 10 / 63
1 General Remarks
2 Building blocksBilinear groups aka Pairing-friendly environmentsCommitment / EncryptionSignaturesSecurity hypotheses
3 Non-Interactive Proofs of Knowledge
4 Interactive Implicit Proofs
O. Blazy (ENS → RUB) INIPoK Sept 2012 11 / 63
Symmetric bilinear structure
(p,G,GT , e, g) bilinear structure:
G, GT multiplicative groups of order p
p = prime integer
〈g〉 = G
e : G×G→ GT
〈e(g , g)〉 = GT
e(g a, gb) = e(g , g)ab, a, b ∈ Z
deciding group membership,
group operations,
bilinear map
e�ciently computable.
O. Blazy (ENS → RUB) INIPoK Sept 2012 12 / 63
De�nition (Encryption Scheme)
E = (Setup,EKeyGen,Encrypt,Decrypt):
Setup(1K): param;
EKeyGen(param): public encryption key pk, private decryption key dk;
Encrypt(pk,m; r): ciphertext c on m ∈M and pk;
Decrypt(dk, c): decrypts c under dk.
r
pk, r
dk
CF(M)
EncryptSE
DecryptE
r ′
RandomE
Indistinguishability:Given M0,M1, it should be hard to guess which one is encrypted in C .
O. Blazy (ENS → RUB) INIPoK Sept 2012 13 / 63
De�nition (Linear Encryption) (BBS04)
Setup(1K): Generates a multiplicative group (p,G, g).
EKeyGenE(param): dk = (µ, ν)$← Z2
p, and pk = (X1 = gµ,X2 = gν).
Encrypt(pk = (X1,X2),M;α, β): For M, and random α, β$← Z2
p,
C =(c1 = Xα
1 , c2 = Xβ2 , c3 = gα+β ·M
).
Decrypt(dk = (µ, ν), C = (c1, c2, c3)): Computes M = c3/(c1/µ1 c
1/ν2 ).
Randomization
Random(pk, C; r , s) : C′ =(c1X
r1 , c2X
s2 , c3g
r+s)=(Xα+r1 ,Xβ+s
2 , gα+r+β+s ·M)
O. Blazy (ENS → RUB) INIPoK Sept 2012 14 / 63
De�nition (Commitment Scheme)
E = (Setup,Commit,Decommit):
Setup(1K): param, ck;
Commit(ck,m; r): c on the input message m ∈M using r$← R;
Decommit(c,m;w) opens c and reveals m, together with w that proves thecorrect opening.
CM
rDecommit
Commitck, r
O. Blazy (ENS → RUB) INIPoK Sept 2012 15 / 63
Pedersen
Setup(1K): g , h ∈ G;Commit(m; r): c = gmhr ;
Decommit(c,m; r): c ?= gmhr .
O. Blazy (ENS → RUB) INIPoK Sept 2012 16 / 63
s ′
sk;s
σ(F)
F(M)
SignS
RandomS
De�nition (Signature Scheme)
S = (Setup, SKeyGen, Sign,Verif):
Setup(1K): param;
SKeyGen(param): public veri�cation key vk, privatesigning key sk;
Sign(sk,m; s): signature σ on m, under sk;
Verif(vk,m, σ): checks whether σ is valid on m.
Unforgeability:Given q pairs (mi , σi ), it should be hard to output a valid σ on a fresh m.
O. Blazy (ENS → RUB) INIPoK Sept 2012 17 / 63
De�nition (Waters Signature) (Wat05)
SetupS(1K): Generates (p,G,GT , e, g), an extra h, and (ui ) for the Waters
function (F(m) = u0∏
i umi
i ).
SKeyGenS(param): Picks x$← Zp and outputs sk = hx , and vk = g x ;
Sign(sk,m; s): Outputs σ(m) = (skF(m)s , g s);
Verif(vk,m, σ): Checks the validity of σ: e(g , σ1)?= e(F(m), σ2) · e(vk, h)
Randomization
Random(σ; r) : σ′ =(σ1F(m)r , σ2g
r)=(skF(m)r+s , g r+s
)
O. Blazy (ENS → RUB) INIPoK Sept 2012 18 / 63
De�nition (DL)
Given g , h ∈ G2, it is hard to compute α such that h = gα.
De�nition (CDH)
Given g , g a, h ∈ G3, it is hard to compute ha.
De�nition (DLin)
Given u, v ,w , ua, vb,w c ∈ G6, it is hard to decide whether c = a+ b.
O. Blazy (ENS → RUB) INIPoK Sept 2012 19 / 63
1 General Remarks
2 Building blocks
3 Non-Interactive Proofs of KnowledgeGroth Sahai methodologyMotivationSignature on CiphertextsApplication to other protocolsWaters Programmability
4 Interactive Implicit Proofs
O. Blazy (ENS → RUB) INIPoK Sept 2012 20 / 63
Groth-Sahai Proof System
Pairing product equation (PPE): for variables X1, . . . ,Xn ∈ G
(E ) :n∏
i=1
e(Ai ,Xi )n∏
i=1
n∏j=1
e(Xi ,Xj)γi,j = tT
determined by Ai ∈ G, γi,j ∈ Zp and tT ∈ GT .
Groth-Sahai WI proofs that elements in G that were committed to satisfyPPE
Setup(G): commitment key ck;
Com(ck, X ∈ G; ρ): commitment ~cX to X ;
Prove(ck, (Xi , ρi )i=1,...,n, (E )): proof φ;
Verify(ck, ~cXi , (E ), φ): checks whether φ is valid.
O. Blazy (ENS → RUB) INIPoK Sept 2012 21 / 63
Groth-Sahai Proof System
Pairing product equation (PPE): for variables X1, . . . ,Xn ∈ G
(E ) :n∏
i=1
e(Ai ,Xi )n∏
i=1
n∏j=1
e(Xi ,Xj)γi,j = tT
determined by Ai ∈ G, γi,j ∈ Zp and tT ∈ GT .
Groth-Sahai WI proofs that elements in G that were committed to satisfyPPE
Setup(G): commitment key ck;
Com(ck, X ∈ G; ρ): commitment ~cX to X ;
Prove(ck, (Xi , ρi )i=1,...,n, (E )): proof φ;
Verify(ck, ~cXi , (E ), φ): checks whether φ is valid.
O. Blazy (ENS → RUB) INIPoK Sept 2012 21 / 63
(E ) :n∏
i=1
e(Ai ,Xi )n∏
i=1
n∏j=1
e(Xi ,Xj)γi,j = tT
Assumption DLin SXDH SDVariables 3 2 1PPE 9 (2,2) 1Linear 3 2 1
Veri�cation 12n + 27 5m + 3n + 16 n + 1[ACNS 2010: BFI+] 3n + 6 m + 2n + 8 n + 1
Properties:
correctness
soundness
witness-indistinguishability
randomizability Commitments and proofs are publicly randomizable.
O. Blazy (ENS → RUB) INIPoK Sept 2012 22 / 63
(E ) :n∏
i=1
e(Ai ,Xi )n∏
i=1
n∏j=1
e(Xi ,Xj)γi,j = tT
Assumption DLin SXDH SDVariables 3 2 1PPE 9 (2,2) 1Linear 3 2 1
Veri�cation 12n + 27 5m + 3n + 16 n + 1[ACNS 2010: BFI+] 3n + 6 m + 2n + 8 n + 1
Properties:
correctness
soundness
witness-indistinguishability
randomizability Commitments and proofs are publicly randomizable.
O. Blazy (ENS → RUB) INIPoK Sept 2012 22 / 63
(E ) :n∏
i=1
e(Ai ,Xi )n∏
i=1
n∏j=1
e(Xi ,Xj)γi,j = tT
Assumption DLin SXDH SDVariables 3 2 1PPE 9 (2,2) 1Linear 3 2 1
Veri�cation 12n + 27 5m + 3n + 16 n + 1[ACNS 2010: BFI+] 3n + 6 m + 2n + 8 n + 1
Properties:
correctness
soundness
witness-indistinguishability
randomizability Commitments and proofs are publicly randomizable.
O. Blazy (ENS → RUB) INIPoK Sept 2012 22 / 63
Electronic Voting
For dessert, we let people vote
X Chocolate Cake
X Cheese Cake
X Fruit Salad
X Brussels Sprout
After collection, we count the number of ballots:
Chocolate Cake 123Cheese Cake 79Fruit Salad 42Brussels sprout 1
O. Blazy (ENS → RUB) INIPoK Sept 2012 23 / 63
Authentication
Only people authorized to vote should be able to vote
People should be able to vote only once
Anonymity
Votes and voters should be anonymous
4 Receipt freeness
O. Blazy (ENS → RUB) INIPoK Sept 2012 24 / 63
Homomorphic Encryption and Signature approach
The voter generates his vote v .
The voter encrypts v to the server as c .
The voter signs c and outputs σ.
(c , σ) is a ballot unique per voter, and anonymous.
Counting: granted homomorphic encryption C =∏
c .
The server decrypts C .
O. Blazy (ENS → RUB) INIPoK Sept 2012 25 / 63
Electronic Cash
Deposit
Withdraw
SpendRandom
ize Randomize
Identify
O. Blazy (ENS → RUB) INIPoK Sept 2012 26 / 63
Protocol
Withdrawal: A user get a coin c from the bank
Spending: A user pays a shop with the coin c
Deposit: The shop gives the coin c back to the bank
Electronic Coins Chaum 81
Expected properties
X Unforgeability Coins are signed by the bank
X No Double-Spending Each coin is unique
X Anonymity Blind Signature
De�nition (Blind Signature)
A blind signature allows a user to get a message m signed by an authority into σso that the authority even powerful cannot recognize later the pair (m, σ).
O. Blazy (ENS → RUB) INIPoK Sept 2012 27 / 63
Round-Optimal Blind Signature Fischlin 06
The user encrypts his message m in c .
The signer then signs c in σ.
The user veri�es σ.
He then encrypts σ and c into Cσ and C and generates a proof π.
π: Cσ is an encryption of a signature over the ciphertext c encrypted in C,and this c is indeed an encryption of m.
Anyone can then use C, Cσ, π to check the validity of the signature.
O. Blazy (ENS → RUB) INIPoK Sept 2012 28 / 63
Vote
A user should be able to encrypt a ballot.
He should be able to sign this encryption.
Receiving this vote, one should be able to randomize for Receipt-Freeness.
E-Cash
A user should be able to encrypt a token
The bank should be able to sign it providing Unforgeability
This signature should now be able to be randomized to provide Anonymity
Our Solution
Same underlying requirements;
Advance security notions in both schemes requires to extract some kind ofsignature on the associated plaintext;
General Framework for Signature on Randomizable Ciphertexts;
Revisited Waters, Commutative encryption / signature.
O. Blazy (ENS → RUB) INIPoK Sept 2012 29 / 63
Commutative properties
Encrypt
To encrypt a message m:
c = (pk1r1 , pk2
r2 ,F(m) · g r1+r2)
O. Blazy (ENS → RUB) INIPoK Sept 2012 30 / 63
Commutative properties
Encrypt
To encrypt a message m:
c = (pk1r1 , pk2
r2 ,F(m) · g r1+r2)
Sign ◦ EncryptTo sign a valid ciphertext c1, c2, c3, one has simply to produce.
σ = (c1s , c2
s , sk · c3s , pk1s , pk2s , g s) .
O. Blazy (ENS → RUB) INIPoK Sept 2012 30 / 63
Commutative properties
Encrypt
To encrypt a message m:
c = (pk1r1 , pk2
r2 ,F(m) · g r1+r2)
Sign ◦ EncryptTo sign a valid ciphertext c1, c2, c3, one has simply to produce.
σ = (c1s , c2
s , sk · c3s , pk1s , pk2s , g s) .
Decrypt ◦ Sign ◦ EncryptUsing dk.
σ = (σ3/σdk11 · σdk22 , σ6) = (sk · F(m)s , g s) .
O. Blazy (ENS → RUB) INIPoK Sept 2012 30 / 63
De�nition (Signature on Ciphertexts)
SE = (Setup, SKeyGen,EKeyGen,Encrypt, Sign,Decrypt,Verif):
Setup(1K): parame , params ;
EKeyGen(parame): pk, dk;
SKeyGen(params): vk, sk;
Encrypt(pk, vk,m; r): produces c on m ∈M and pk;
Sign(sk, pk, c ; s): produces σ, on the input c under sk;
Decrypt(dk, vk, c): decrypts c under dk;
Verif(vk, pk, c , σ): checks whether σ is valid.
De�nition (Extractable Randomizable Signature on Ciphertexts)
SE=(Setup, SKeyGen,EKeyGen,Encrypt, Sign,Random,Decrypt,Verif,SigExt):Random(vk, pk, c , σ; r ′, s ′) produces c ′ and σ′ on c ′, using additional coins;
SigExt(dk, vk, σ) outputs a signature σ∗.
O. Blazy (ENS → RUB) INIPoK Sept 2012 31 / 63
Randomizable Signature on Ciphertexts [PKC 2011: BFPV]
s ′
dk
r
pk, r
dk
sk,pk,c;s
sk;s
σ(C )
C
EncryptSE
DecryptE
r
SigExtSE
SignS
SignSE
RandomS
M
σ(M)
O. Blazy (ENS → RUB) INIPoK Sept 2012 32 / 63
Extractable SRC
s′
dk
r
pk, r
dk
sk,pk,c
;s
sk;s
r′ , s
′
σ(C)σ(M)
CM
EncryptSE
DecryptE
r
SigExtSE
SignS
SignSE
r ′
RandomE
RandomS
RandomSE
O. Blazy (ENS → RUB) INIPoK Sept 2012 33 / 63
E-Voting [PKC 2011: BFPV]
dk
r
pk, r
sk,pk,c;s
r′ , s
′
σ(C )σ(F)
CF(M)
EncryptSE
SignSE
Random
SE
SigExtSE
Authority
User
O. Blazy (ENS → RUB) INIPoK Sept 2012 34 / 63
Blind Signature [PKC 2011: BFPV]
s ′
dk
r
pk, r
dk
sk,pk,c;s
σ(C )σ(F)
CF(M)
EncryptSE
DecryptE
r
SigExtSE
SignSE
RandomS
SignerUser
O. Blazy (ENS → RUB) INIPoK Sept 2012 35 / 63
Partially-Blind Signature
User Signer
info←−−−−−−−−−−→C ′ = C (M, info)
−−−−−−−−−−−−−−−→σ(C ′)
←−−−−−−−−−−−−−−−
O. Blazy (ENS → RUB) INIPoK Sept 2012 36 / 63
Partially-Blind Signature
User Signer
C ′ = C (M, info)−−−−−−−−−−−−−−−→
σ(C ′, infos)←−−−−−−−−−−−−−−−
O. Blazy (ENS → RUB) INIPoK Sept 2012 36 / 63
Signer-Friendly Partially Blind Signature [SCN 2012: BPV]
s ′
rF(M)
r
RandomS
UserBlindBSpkBS , r
SignBS
σ(F ′)
Verif
UnblindBS
Signer
C ′
σ(C ′)
infos
C info
skBS,C
′ ,info
s;s
O. Blazy (ENS → RUB) INIPoK Sept 2012 37 / 63
Multi-Source Blind Signatures
Wireless Sensor Network
Captors Central Hub Receiver
c1−−−−−−−−−−−→C =
∏ci
−−−−−−−−−−−→ci−−−−−−−−−−−→cn−−−−−−−−−−−→
σ(C , s)−−−−−−−−−−−→
O. Blazy (ENS → RUB) INIPoK Sept 2012 38 / 63
Multi-Source Blind Signatures [SCN 2012: BPV]
SignerBlindBS
SignBS
RandomS
s ′
pkBS , ri
ri Ci
σ(∏
Ci)
Fi
σ(∏F)
dkBS
User i
R skBS,C
1,...,C
n;s
UnblindBS
Verif
O. Blazy (ENS → RUB) INIPoK Sept 2012 39 / 63
Two solutions
Di�erent Generators
Each captor has a disjoint set of generators for the Waters function
Enormous public key
O. Blazy (ENS → RUB) INIPoK Sept 2012 40 / 63
Two solutions
Di�erent Generators
Each captor has a disjoint set of generators for the Waters function
Enormous public key
O. Blazy (ENS → RUB) INIPoK Sept 2012 40 / 63
Two solutions
Di�erent Generators
Each captor has a disjoint set of generators for the Waters function
Enormous public key
A single set of generators
The captors share the same set of generators
Waters over a non-binary alphabet?
O. Blazy (ENS → RUB) INIPoK Sept 2012 40 / 63
Two solutions
Di�erent Generators
Each captor has a disjoint set of generators for the Waters function
Enormous public key
A single set of generators
The captors share the same set of generators
Waters over a non-binary alphabet?
O. Blazy (ENS → RUB) INIPoK Sept 2012 40 / 63
Programmability of Waters over a non-binary alphabet
De�nition ((m, n)-programmability)
F is (m, n) programmable if given g , h there is an e�cient trapdoor producingaX , bX such that F (X ) = g aX hbX , and for all Xi ,Zj ,Pr [aX1 = · · · = aXm = 0 ∧ aZ1 · . . . · aZn 6= 0] is not negligible.
(1, q)-Programmability of Waters function
Why do we need it: Unforgeabilty, q signing queries, 1 signature to exploit. Choose independent and uniform elements (ai )(1,...,`) in {−1, 0, 1}, andrandom exponents (bi )(0,...,`), and setting a0 = −1.Then ui = g aihbi .
F(m) = u0∏
umi
i = g∑δi
aih∑δi
bi = g amhbm .
O. Blazy (ENS → RUB) INIPoK Sept 2012 41 / 63
Non (2, 1)-programmability
Waters over a non-binary alphabet is not (2, 1)-programmable.
(1, q)-programmability
Waters over a polynomial alphabet remains (1, q)-programmable.
O. Blazy (ENS → RUB) INIPoK Sept 2012 42 / 63
Sum of random walks on polynomial alphabets
Local Central Limit Theorem Lindeberg Feller
O. Blazy (ENS → RUB) INIPoK Sept 2012 43 / 63
New primitive: Signature on Randomizable Ciphertexts [PKC 2011: BFPV]
X One Round Blind Signature [PKC 2011: BFPV]
X Receipt Free E-Voting [PKC 2011: BFPV]
X Signer-Friendly Blind Signature [SCN 2012: BPV]
X Multi-Source Blind Signature [SCN 2012: BPV]
E�ciency
DLin + CDH : 9`+ 24 Group elements.
SXDH + CDH+ : 6`+ 15, 6`+ 7 Group elements.
Other results based on Groth Sahai Methodology:
Traceable Signatures [2012: BP]
Transferable E-Cash [Africacrypt 2011: BCF+]
O. Blazy (ENS → RUB) INIPoK Sept 2012 44 / 63
1 General Remarks
2 Building blocks
3 Non-Interactive Proofs of Knowledge
4 Interactive Implicit ProofsMotivationSmooth Projective Hash FunctionApplication to various protocolsManageable Languages
O. Blazy (ENS → RUB) INIPoK Sept 2012 45 / 63
Certi�cation of Public Keys: (NI)ZKPoK
Certi�cation of a public key
Server User
pk←→ π(sk)←→ Cert
O. Blazy (ENS → RUB) INIPoK Sept 2012 46 / 63
Certi�cation of Public Keys: (NI)ZKPoK
Certi�cation of a public key
Server User
pk←→ π(sk)←→ Cert
O. Blazy (ENS → RUB) INIPoK Sept 2012 46 / 63
Certi�cation of Public Keys: (NI)ZKPoK
Certi�cation of a public key
Server User
pk←π(sk)
→ Cert
O. Blazy (ENS → RUB) INIPoK Sept 2012 46 / 63
Certi�cation of Public Keys: (NI)ZKPoK
Certi�cation of a public key
Server User
pk←π(sk)
→ Cert
O. Blazy (ENS → RUB) INIPoK Sept 2012 46 / 63
Certi�cation of Public Keys: (NI)ZKPoK
Certi�cation of a public key
Server User
pk←π(sk)
→ Cert
π can be forwarded
O. Blazy (ENS → RUB) INIPoK Sept 2012 46 / 63
Certi�cation of Public Keys: SPHF [ACP09]
A user can ask for the certi�cation of pk, but if he knows the associated sk only:
With a Smooth Projective Hash Function
L: pk and C = C(sk; r) are associated to the same sk
U sends his pk, and an encryption C of sk;
A generates the certi�cate Cert for pk, and sends it,masked by Hash = Hash(hk; (pk,C ));
U computes Hash = ProjHash(hp; (pk,C ), r)), and gets Cert.
O. Blazy (ENS → RUB) INIPoK Sept 2012 47 / 63
Certi�cation of Public Keys: SPHF [ACP09]
A user can ask for the certi�cation of pk, but if he knows the associated sk only:
With a Smooth Projective Hash Function
L: pk and C = C(sk; r) are associated to the same sk
U sends his pk, and an encryption C of sk;
A generates the certi�cate Cert for pk, and sends it,masked by Hash = Hash(hk; (pk,C ));
U computes Hash = ProjHash(hp; (pk,C ), r)), and gets Cert.
Implicit proof of knowledge of sk
O. Blazy (ENS → RUB) INIPoK Sept 2012 47 / 63
Smooth Projective Hash Functions [CS02]
De�nition [CS02,GL03]
Let {H} be a family of functions:
X , domain of these functions
L, subset (a language) of this domain
such that, for any point x in L, H(x) can be computed by using
either a secret hashing key hk: H(x) = HashL(hk; x);
or a public projected key hp: H ′(x) = ProjHashL(hp; x ,w)
Public mapping hk 7→ hp = ProjKGL(hk, x)
O. Blazy (ENS → RUB) INIPoK Sept 2012 48 / 63
SPHF Properties
For any x ∈ X , H(x) = HashL(hk; x)For any x ∈ L, H(x) = ProjHashL(hp; x ,w)
w witness that x ∈ L, hp = ProjKGL(hk, x)
Smoothness
For any x 6∈ L, H(x) and hp are independent
Pseudo-Randomness
For any x ∈ L, H(x) is pseudo-random, without a witness w
The latter property requires L to be a hard-partitioned subset of X .
O. Blazy (ENS → RUB) INIPoK Sept 2012 49 / 63
SPHF Properties
For any x ∈ X , H(x) = HashL(hk; x)For any x ∈ L, H(x) = ProjHashL(hp; x ,w)
w witness that x ∈ L, hp = ProjKGL(hk, x)
Smoothness
For any x 6∈ L, H(x) and hp are independent
Pseudo-Randomness
For any x ∈ L, H(x) is pseudo-random, without a witness w
The latter property requires L to be a hard-partitioned subset of X .
O. Blazy (ENS → RUB) INIPoK Sept 2012 49 / 63
SPHF Properties
For any x ∈ X , H(x) = HashL(hk; x)For any x ∈ L, H(x) = ProjHashL(hp; x ,w)
w witness that x ∈ L, hp = ProjKGL(hk, x)
Smoothness
For any x 6∈ L, H(x) and hp are independent
Pseudo-Randomness
For any x ∈ L, H(x) is pseudo-random, without a witness w
The latter property requires L to be a hard-partitioned subset of X .
O. Blazy (ENS → RUB) INIPoK Sept 2012 49 / 63
SPHF Properties
For any x ∈ X , H(x) = HashL(hk; x)For any x ∈ L, H(x) = ProjHashL(hp; x ,w)
w witness that x ∈ L, hp = ProjKGL(hk, x)
Smoothness
For any x 6∈ L, H(x) and hp are independent
Pseudo-Randomness
For any x ∈ L, H(x) is pseudo-random, without a witness w
The latter property requires L to be a hard-partitioned subset of X .
O. Blazy (ENS → RUB) INIPoK Sept 2012 49 / 63
Certi�cation of Public Keys: SPHF [ACP09]
Certi�cation of a public key
Server User
pk,C = C(sk; r)←→ P = Cert⊕ Hash(hk; (pk,C ))
hp = ProjKG(hk,C )
P ⊕ ProjHash(hp; (pk,C ), r) = Cert
O. Blazy (ENS → RUB) INIPoK Sept 2012 50 / 63
Certi�cation of Public Keys: SPHF [ACP09]
Certi�cation of a public key
Server User
pk,C = C(sk; r)←→ P = Cert⊕ Hash(hk; (pk,C ))
hp = ProjKG(hk,C )
P ⊕ ProjHash(hp; (pk,C ), r) = CertImplicit proof of knowledge of sk
O. Blazy (ENS → RUB) INIPoK Sept 2012 50 / 63
Oblivious Signature-Based Envelope (OSBE) [LDB03]
A sender S wants to send a message P to U such that
U gets P i� it owns σ(m) valid under vk
S does not learn whereas U gets the message P or not
Correctness: if U owns a valid signature, he learns P
Security Notions
Oblivious: S does not know whether U owns a valid signature(and thus gets the message);
Semantic Security: U does not learn any information about Pif he does not own a valid signature.
O. Blazy (ENS → RUB) INIPoK Sept 2012 51 / 63
Oblivious Signature-Based Envelope (OSBE) [LDB03]
A sender S wants to send a message P to U such that
U gets P i� it owns σ(m) valid under vk
S does not learn whereas U gets the message P or not
Correctness: if U owns a valid signature, he learns P
Security Notions
Oblivious: S does not know whether U owns a valid signature(and thus gets the message);
Semantic Security: U does not learn any information about Pif he does not own a valid signature.
O. Blazy (ENS → RUB) INIPoK Sept 2012 51 / 63
Oblivious Signature-Based Envelope (OSBE) [LDB03]
A sender S wants to send a message P to U such that
U gets P i� it owns σ(m) valid under vk
S does not learn whereas U gets the message P or not
Correctness: if U owns a valid signature, he learns P
Security Notions
Oblivious: S does not know whether U owns a valid signature(and thus gets the message);
Semantic Security: U does not learn any information about Pif he does not own a valid signature.
O. Blazy (ENS → RUB) INIPoK Sept 2012 51 / 63
One-Round OSBE from IBE
The authority owns the master key of an IBE scheme,and provides the decryption key (signature) associated to m to U.
S wants to send a message P to U, if U owns a valid signature.
S encrypts P under the identity m.
Security properties
Correct: trivial
Oblivious: no message sent!
Semantic Security: IND-CPA of the IBE
But the authority can decrypt everything!
O. Blazy (ENS → RUB) INIPoK Sept 2012 52 / 63
One-Round OSBE from IBE
The authority owns the master key of an IBE scheme,and provides the decryption key (signature) associated to m to U.
S wants to send a message P to U, if U owns a valid signature.
S encrypts P under the identity m.
Security properties
Correct: trivial
Oblivious: no message sent!
Semantic Security: IND-CPA of the IBE
But the authority can decrypt everything!
O. Blazy (ENS → RUB) INIPoK Sept 2012 52 / 63
One-Round OSBE from IBE
The authority owns the master key of an IBE scheme,and provides the decryption key (signature) associated to m to U.
S wants to send a message P to U, if U owns a valid signature.
S encrypts P under the identity m.
Security properties
Correct: trivial
Oblivious: no message sent!
Semantic Security: IND-CPA of the IBE
But the authority can decrypt everything!
O. Blazy (ENS → RUB) INIPoK Sept 2012 52 / 63
A Stronger Security Model
S wants to send a message P to U, if U owns/uses a valid signature.
Security Notions
Oblivious w.r.t. the authority:the authority does not know whether U uses a valid signature;
Semantic Security: U cannot distinguish multiple interactions with :S sending P0 from those with S sending P1
if he does not own/use a valid signature;
Semantic Security w.r.t. the Authority: after the interaction,the authority does not learn any information about P.
O. Blazy (ENS → RUB) INIPoK Sept 2012 53 / 63
Our New OSBE [TCC 2012: BPV]
S wants to send a message P to U, if U owns a valid σ(m) under vk:
With a Smooth Projective Hash Function
L: C = C(σ, r) contains a valid σ(m) under vk
the user U sends an encryption C of σ;
A generates hk and the associated hp,computes H = Hash(hk;C ),and sends hp together with c = P ⊕ H;
U computes X = ProjHash(hp;C , r), and gets P.
Lin(pk,m) : {C(m)} WLin(pk, vk,m) : {C(σ(m))}
(U,V ,W ,G ) ∈WLin(pk, vk,m):∃r , s ∈ Zp, (U,V ,W ) = (ur , v s , g r+sσ), e(σ, g) = e(h, vk) · e(F(m),G )
O. Blazy (ENS → RUB) INIPoK Sept 2012 54 / 63
Security Properties
X Oblivious w.r.t. the authority: IND-CPA of the encryption scheme(Hard-partitioned Subset of the SPHF);
X Semantic Security: Smoothness of the SPHF
X Semantic Security w.r.t. the Authority: Pseudo-randomness of the SPHF
Semantic Security w.r.t. the Authority requires one interaction round-optimalStandard model with Waters Signature + Linear Encryption CDH and DLin
O. Blazy (ENS → RUB) INIPoK Sept 2012 55 / 63
Security Properties
X Oblivious w.r.t. the authority: IND-CPA of the encryption scheme(Hard-partitioned Subset of the SPHF);
X Semantic Security: Smoothness of the SPHF
X Semantic Security w.r.t. the Authority: Pseudo-randomness of the SPHF
Semantic Security w.r.t. the Authority requires one interaction round-optimalStandard model with Waters Signature + Linear Encryption CDH and DLin
O. Blazy (ENS → RUB) INIPoK Sept 2012 55 / 63
Security Properties
X Oblivious w.r.t. the authority: IND-CPA of the encryption scheme(Hard-partitioned Subset of the SPHF);
X Semantic Security: Smoothness of the SPHF
X Semantic Security w.r.t. the Authority: Pseudo-randomness of the SPHF
Semantic Security w.r.t. the Authority requires one interaction round-optimalStandard model with Waters Signature + Linear Encryption CDH and DLin
O. Blazy (ENS → RUB) INIPoK Sept 2012 55 / 63
Q
σ
P
ck, σ; r
Commit
c
hk = HashKGL
hp = ProjKGL(hk, c)
σ(m)
H = HashL(hk, c)
Q = P ⊕H
ProjHashL(hp,C ;w) = H ′
P ′ = Q ⊕ H ′
L = WLin(ck, vk,m) e(X , g) = e(F(m), σ2) · e(vk, h)
O. Blazy (ENS → RUB) INIPoK Sept 2012 56 / 63
Blind-Signatures [TCC 2012: BPV]
s ′
dk
r
pk, r
dk
sk,pk,c;s
σ(C )σ(F)
CF(M)
EncryptSE
DecryptE
r
SigExtSE
SignSE
RandomS
SignerUser
Groth Sahai9 `+ 24
O. Blazy (ENS → RUB) INIPoK Sept 2012 57 / 63
Blind-Signatures [TCC 2012: BPV]
s ′
dk
r
pk, r
dk
sk,pk,c;s
σ(C )σ(F)
CF(M)
EncryptSE
DecryptE
r
SigExtSE
SignSE
RandomS
SignerUser
Groth Sahai9 `+ 24
SPHF8 `+ 12
Languages
BLin: {0, 1},ELin:{C(C(...))}.
O. Blazy (ENS → RUB) INIPoK Sept 2012 57 / 63
Password Authenticated Key Exchange
Alice Bob
→ C(pwB)
C(pwA), hpB ←→ hpA
HB · H ′A H ′B · HA
Same value i� both passwords are the same, and users know witnesses.
O. Blazy (ENS → RUB) INIPoK Sept 2012 58 / 63
Language Authenticated Key Exchange
Alice Bob
→ C(LB), C(L′A), C(MB)
C(LA), C(L′B), C(MA), hpB ←→ hpA
HB · H ′A H ′B · HA
Same value i� languages are as expected, and users know witnesses.
O. Blazy (ENS → RUB) INIPoK Sept 2012 59 / 63
Di�e Hellman / Linear Tuple
Conjunction / Disjunction
(g , h,G = g a,H = ha) Valid Di�e Hellman tuple?hp = gκhλ hpa = GκHλ
Oblivious Transfer, Implicit Opening of a ciphertext
(U = ua,V = vb,W = g a+b) Valid Linear tuple?hp = uκgλ, vµgλ hpa1hp
b2 = UκV µW λ
O. Blazy (ENS → RUB) INIPoK Sept 2012 60 / 63
Di�e Hellman / Linear Tuple
Conjunction / Disjunction
(g , h,G = g a,H = ha) Valid Di�e Hellman tuple?hp = gκhλ hpa = GκHλ
Oblivious Transfer, Implicit Opening of a ciphertext
(U = ua,V = vb,W = g a+b) Valid Linear tuple?hp = uκgλ, vµgλ hpa1hp
b2 = UκV µW λ
O. Blazy (ENS → RUB) INIPoK Sept 2012 60 / 63
Di�e Hellman / Linear Tuple
Conjunction / Disjunction
L1 ∩ L2 Simultaneous veri�cationhp = hp1, hp2 H ′1 · H ′2 = H1 · H2
∧Ai
O. Blazy (ENS → RUB) INIPoK Sept 2012 60 / 63
Di�e Hellman / Linear Tuple
Conjunction / Disjunction
L1 ∩ L2 Simultaneous veri�cationhp = hp1, hp2 H ′1 · H ′2 = H1 · H2
∧Ai
L1 ∪ L2 One out of 2 conditionshp = hp1, hp2, hp∆ H ′ = L1?hpw1
1 : hpw22 · hp∆ = X hk1
1
Is it a bit?
O. Blazy (ENS → RUB) INIPoK Sept 2012 60 / 63
Di�e Hellman / Linear Tuple
Conjunction / Disjunction
L1 ∩ L2 Simultaneous veri�cationhp = hp1, hp2 H ′1 · H ′2 = H1 · H2
∧Ai
L1 ∪ L2 One out of 2 conditionshp = hp1, hp2, hp∆ H ′ = L1?hpw1
1 : hpw22 · hp∆ = X hk1
1
Is it a bit?
BLin.
O. Blazy (ENS → RUB) INIPoK Sept 2012 60 / 63
(Linear) Cramer-Shoup Encryption
Commitment of a commitment
Linear Pairing Equations
Quadratic Pairing Equation
(e = hrM, u1 = g r1 , u2 = g r
2 , v = (cdα)r ) Veri�ability of the CShp = gκ1 g
µ2 (cd
α)ηhλ hpr = uκ1 uµ2 v
η(e/M)λ
Implicit Opening of a ciphertext, veri�ability of a ciphertext, PAKE
(g r1 , g
s2 , g
r+s3 , hr1h
s2M, (c1d
α1 )
r )(c2dα2 )
s) Veri�ability of the LCShp = gκ1 g
θ3 (c1d
α1 )ηhλ, gµ2 g
θ3 (c1d
α1 )ηhλ hpr1 · hps2 = uκ1 u
µ2 u
θ3v
η(e/M)λ
O. Blazy (ENS → RUB) INIPoK Sept 2012 61 / 63
(Linear) Cramer-Shoup Encryption
Commitment of a commitment
Linear Pairing Equations
Quadratic Pairing Equation
(e = hrM, u1 = g r1 , u2 = g r
2 , v = (cdα)r ) Veri�ability of the CShp = gκ1 g
µ2 (cd
α)ηhλ hpr = uκ1 uµ2 v
η(e/M)λ
Implicit Opening of a ciphertext, veri�ability of a ciphertext, PAKE
(g r1 , g
s2 , g
r+s3 , hr1h
s2M, (c1d
α1 )
r )(c2dα2 )
s) Veri�ability of the LCShp = gκ1 g
θ3 (c1d
α1 )ηhλ, gµ2 g
θ3 (c1d
α1 )ηhλ hpr1 · hps2 = uκ1 u
µ2 u
θ3v
η(e/M)λ
O. Blazy (ENS → RUB) INIPoK Sept 2012 61 / 63
(Linear) Cramer-Shoup Encryption
Commitment of a commitment
Linear Pairing Equations
Quadratic Pairing Equation
(U = ua,V = v s ,G = hsg a) Previous Language ELinhp = uηgλ, vθhλ hpa1hp
s2 = UηV θGλ
O. Blazy (ENS → RUB) INIPoK Sept 2012 61 / 63
(Linear) Cramer-Shoup Encryption
Commitment of a commitment
Linear Pairing Equations
Quadratic Pairing Equation(∏i∈Ak
e(Yi ,Ak,i )
)·
(∏i∈Bk
ZiZk,i
)= Dk
For each variables: hpi = uκigλ, vµigλ(∏i∈Ak
e(hpwi
i ,Ak,i ))·(∏
i∈BkHP
Zk,iwi
i
)=(∏
i∈Ake(Hi ,Ak,i )
)·(∏
i∈BkHi
Zk,i)/Dλk
Knowledge of a secret key, Knowledge of a (secret) signature on a (secret)message valid under a (secret) veri�cation key, . . .
O. Blazy (ENS → RUB) INIPoK Sept 2012 61 / 63
(Linear) Cramer-Shoup Encryption
Commitment of a commitment
Linear Pairing Equations
Quadratic Pairing Equation ∏i≤j∈Ak
e(Yi ,Ak,i ) · e(Yi ,Yj)γi,j ·(∏
i∈Bk
ZZk,i
i
)= Dk
Anonymous membership to a group, other way to do BLin,. . .e(gb, g1−b) = 1T
O. Blazy (ENS → RUB) INIPoK Sept 2012 61 / 63
Smooth Projective Hash Functions =̂ implicit proofs of knowledge
O. Blazy (ENS → RUB) INIPoK Sept 2012 62 / 63
Smooth Projective Hash Functions =̂ implicit proofs of knowledge
Various Applications:
Privacy-preserving protocols:
4 Many more Round optimal applications?
O. Blazy (ENS → RUB) INIPoK Sept 2012 62 / 63
Smooth Projective Hash Functions =̂ implicit proofs of knowledge
Various Applications:
X IND-CCA [CS02]
Privacy-preserving protocols:
4 Many more Round optimal applications?
O. Blazy (ENS → RUB) INIPoK Sept 2012 62 / 63
Smooth Projective Hash Functions =̂ implicit proofs of knowledge
Various Applications:
X IND-CCA [CS02]
X PAKE [GL03]
Privacy-preserving protocols:
4 Many more Round optimal applications?
O. Blazy (ENS → RUB) INIPoK Sept 2012 62 / 63
Smooth Projective Hash Functions =̂ implicit proofs of knowledge
Various Applications:
X IND-CCA [CS02]
X PAKE [GL03]
X Certi�cation of Public Keys [ACP09]
Privacy-preserving protocols:
4 Many more Round optimal applications?
O. Blazy (ENS → RUB) INIPoK Sept 2012 62 / 63
Smooth Projective Hash Functions =̂ implicit proofs of knowledge
Various Applications:
X IND-CCA [CS02]
X PAKE [GL03]
X Certi�cation of Public Keys [ACP09]
Privacy-preserving protocols:
4 Many more Round optimal applications?
O. Blazy (ENS → RUB) INIPoK Sept 2012 62 / 63
Smooth Projective Hash Functions =̂ implicit proofs of knowledge
Various Applications:
X IND-CCA [CS02]
X PAKE [GL03]
X Certi�cation of Public Keys [ACP09]
Privacy-preserving protocols:
X Blind signatures [TCC 2012: BPV]
4 Many more Round optimal applications?
O. Blazy (ENS → RUB) INIPoK Sept 2012 62 / 63
Smooth Projective Hash Functions =̂ implicit proofs of knowledge
Various Applications:
X IND-CCA [CS02]
X PAKE [GL03]
X Certi�cation of Public Keys [ACP09]
Privacy-preserving protocols:
X Blind signatures [TCC 2012: BPV]
X Oblivious Signature-Based Envelope [TCC 2012: BPV]
4 Many more Round optimal applications?
O. Blazy (ENS → RUB) INIPoK Sept 2012 62 / 63
Smooth Projective Hash Functions =̂ implicit proofs of knowledge
Various Applications:
X IND-CCA [CS02]
X PAKE [GL03]
X Certi�cation of Public Keys [ACP09]
Privacy-preserving protocols:
X Blind signatures [TCC 2012: BPV]
X Oblivious Signature-Based Envelope [TCC 2012: BPV]
X (v)-PAKE, LAKE, Secret Handshakes [eprint/sub 2012: BPCV]
4 Many more Round optimal applications?
O. Blazy (ENS → RUB) INIPoK Sept 2012 62 / 63
Smooth Projective Hash Functions =̂ implicit proofs of knowledge
Various Applications:
X IND-CCA [CS02]
X PAKE [GL03]
X Certi�cation of Public Keys [ACP09]
Privacy-preserving protocols:
X Blind signatures [TCC 2012: BPV]
X Oblivious Signature-Based Envelope [TCC 2012: BPV]
X (v)-PAKE, LAKE, Secret Handshakes [eprint/sub 2012: BPCV]
X E-Voting [sub 2012: BP]
4 Many more Round optimal applications?
O. Blazy (ENS → RUB) INIPoK Sept 2012 62 / 63
Smooth Projective Hash Functions =̂ implicit proofs of knowledge
Various Applications:
X IND-CCA [CS02]
X PAKE [GL03]
X Certi�cation of Public Keys [ACP09]
Privacy-preserving protocols:
X Blind signatures [TCC 2012: BPV]
X Oblivious Signature-Based Envelope [TCC 2012: BPV]
X (v)-PAKE, LAKE, Secret Handshakes [eprint/sub 2012: BPCV]
X E-Voting [sub 2012: BP]
4 Many more Round optimal applications?
O. Blazy (ENS → RUB) INIPoK Sept 2012 62 / 63
Groth-Sahai
Allows to combine e�ciently classical building blocks
Allows several kind of new signatures under standard hypotheses
Smooth Projective Hash Functions
Can handle more general languages under better hypotheses
Do not add any extra-rounds in an interactive scenario
More e�cient in the usual cases
O. Blazy (ENS → RUB) INIPoK Sept 2012 63 / 63
Groth-Sahai
Allows to combine e�ciently classical building blocks
Allows several kind of new signatures under standard hypotheses
Smooth Projective Hash Functions
Can handle more general languages under better hypotheses
Do not add any extra-rounds in an interactive scenario
More e�cient in the usual cases
O. Blazy (ENS → RUB) INIPoK Sept 2012 63 / 63